Profile Migration Meltdown
ADMT is a lifesaver for nearly all migration tasks.
I have been asking for new computers where I work
to build a new domain, because the current domain has so many problems
and is also tied to a company name twice removed. I have created the two
new domain controllers and now face the task of moving my users to the
new domain. Ordinarily that wouldn't be such a task. I can create the
new user IDs, etc. but where I become confused is keeping the existing
user profile on their desktop/laptops when they move to the new domain.
It appears the new domain will create a new user on the desktop/laptop
and the user won't have access to their pre-existing profile from the
How can I easily move these users to the new domain while keeping their
same local profile?
Brian, you're describing a problem that many of us involved
in migrations have had to deal with. Many shops that had dozens of NT
domains often consolidated to one or just a few Active Directory domains
during the migration process. With this in mind, allowing users to retain
their profile data both pre- and post-migration is extremely important.
If you get paid by the hour, the best solution for you would be to do
everything manually (copy the profile folders and rename as needed, then
assign appropriate permissions for the accounts in the new domain). For
the rest of us IT suckers that are paid by salary, I suggest using the
Active Directory Migration Tool (ADMT).
The ADMT installation files are included on the Windows Server 2003 setup
CD in the i386\admt folder. For your specific scenario, ADMT should be
installed on a server in the target domain. This can be done by running
admigration.msi from the i386\admt folder on the Windows set-up CD. Once
you launch the program, just accept all set-up defaults and keep clicking
Next until setup completes. Note that you can also download the ADMT here.
At this point, you should see the ADMT in the Administrative Tools folder
on the server. Prior to running ADMT, you will need to ensure that ADMT's
prerequisite permissions are met. You'll find information on satisfying
the ADMT prerequisites in Microsoft Knowledge Base article 326480,
"How to use Active Directory Migration Tool version 2 to migrate
from Windows 2000 to Windows Server 2003." In your instance, you
will need to ensure that the following conditions are satisfied:
- A trust relationship is created so that the source domain trusts the
- The account used by ADMT has Administrator rights in the source domain,
and Administrator rights on each computer that you migrate.
With the ADMT installed, existing profiles can be translated to match
the new domain by opening the ADMT and selecting Security Translation
Wizard from the Action menu. For details on the steps involved using ADMT
for this purpose, take a look at the online Windows Server 2003 Deployment
Kit article Remigrating User Accounts
and Workstations in Batches. This article does such a great job
outlining the necessary steps that I see no need to waste any of your
time reading some of my additional babble.
While I have armed you with the tools you can use to solve your problem,
I also strongly recommend that you read the Windows
Server 2003 Deployment Kit book Designing and Deploying Directory
and Security Services chapter "Restructuring
Active Directory Domains Between Forests." In this chapter, you
will see step-by-step procedures of the complete migration process along
with methods for migrating user accounts and profiles via the ADMT command
line tool and via scripts. Every administrator that I have worked with
that has been a part of any large Active Directory migration project has
sworn up and down about how they couldn't have gotten by without ADMT.
Taking so much information from Microsoft and giving back so little has
put a damper on my Christmas spirit. Perhaps to solve this, we should
all send Bill Gates a check this holiday season to show our gratitude!
Of course, it's probably a good bet that some of you may not be feeling
the "Microsoft love" this holiday season. If you've run into
any specific problems with ADMT, I'm sure your fellow readers would love
to hear about your troubles and what you did to solve them. If you're
still in a giving sort of mood, please post your ADMT war story as a comment
to this article.
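
A pre-flight check for the two ADMT prerequisites listed above (the trust with the source domain and the ADMT account's Administrator rights on each computer), as an added example that is not part of the original column or of Microsoft's documentation. It assumes PowerShell with the ActiveDirectory module on the ADMT server in the target domain and an English-language local Administrators group; every domain, account and computer name is a placeholder.

```powershell
# Added example: report on the ADMT prerequisites before running Security Translation.
# All default values below are placeholders (assumptions), not values from the column.
param(
    [string]   $SourceDomainDns = 'oldcorp.example',      # DNS name of the source domain
    [string]   $AdmtAccount     = 'NEWCORP/svc-admt',     # DOMAIN/account, as the WinNT provider reports it
    [string[]] $Computers       = @('WKS-001', 'WKS-002') # workstations to be migrated
)

function Get-TrustWithSource {
    # Lists the trust object for the source domain as seen from the current (target) domain.
    # The direction is reported, not judged: compare it with the ADMT prerequisites in KB 326480.
    param([string]$DomainDns)
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADTrust -Filter * |
        Where-Object { $_.Name -eq $DomainDns } |
        Select-Object Name, Direction, TrustType
}

function Test-LocalAdminMember {
    # Checks DIRECT membership of $Account in the computer's local Administrators group.
    # Membership gained through a nested domain group is not detected and shows as $false.
    param([string]$Computer, [string]$Account)
    try {
        $group = [ADSI]"WinNT://$Computer/Administrators,group"
        $paths = $group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
        [pscustomobject]@{
            Computer  = $Computer
            Reachable = $true
            IsMember  = ($paths -contains "WinNT://$Account")   # -contains ignores case
        }
    } catch {
        # Offline machine, firewall, or no rights to query the group.
        [pscustomobject]@{ Computer = $Computer; Reachable = $false; IsMember = $false }
    }
}

$trust = Get-TrustWithSource -DomainDns $SourceDomainDns
if ($trust) { $trust | Format-Table -AutoSize }
else        { Write-Warning "No trust object found for $SourceDomainDns" }

$report = foreach ($c in $Computers) { Test-LocalAdminMember -Computer $c -Account $AdmtAccount }
$report | Sort-Object IsMember, Computer | Format-Table -AutoSize

# Computers listed here would fail profile translation; fix them before the batch run.
$report | Where-Object { -not $_.IsMember } | Select-Object -ExpandProperty Computer
```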